How to renew invalid or expired eDirectory server certificates

This document (7013080) is provided subject to the disclaimer at the end of this document.


NetIQ eDirectory
NetIQ iManager


How to renew expired eDirectory server certificates.
Server certificates are invalid or expired.
Repair default server certificates.


First, make sure the Tree Certificate Authority is valid. If it is valid for less than two years, you may want to consider recreating the Tree CA, because the repair process rekeys the server certificates for up to two years or until the expiration of the Tree CA, whichever comes first.

  1. Log in to iManager as Admin.
  2. Roles & Tasks | Novell Certificate Server | Configure Certificate Authority
  3. Select the Certificates Tab
  4. Click the Organizational CA certificate and the Self Signed Certificate, one at a time.
  5. Review the Expiration Date for each certificate and verify it is at least 2 years out.
  6. If you need to recreate the tree CA, you can use TID 7013047 - How to renew an expired Certificate Authority (CA) as a reference.

Then follow the steps below to Repair Default Server certificates for eDirectory servers:

  1. Log in to iManager as Admin.
  2. Roles & Tasks | Novell Certificate Server | Repair Default Certificates
  3. Select the server(s) which will own the certificates and click Next
  4. Select "Yes All Default Certificates will be overwritten" and click Next
  5. Review the tasks to be performed and select Finish

Alternatively, you can do the following using a Linux server:

  1. iManager | View Objects | Manually delete the server's certificate objects from the TREE.
  2. From a terminal on the eDirectory Linux server:
    ndsconfig upgrade -j
    Note: The utility will detect the missing server certificates and re-create them.

Please note that the LDAP server will not pick up these new certificates until it is restarted with the following commands (Linux):

    nldap -u
    nldap -l
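
To confirm that the restarted LDAP server is presenting the renewed certificate, the expiry of the certificate it serves can be checked from a shell. This is an added example, not part of the original TID; the LDAPS port 636, the 30-day threshold, the function names and the host name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the TID. Assumes GNU date and the openssl CLI.
# Assumptions: LDAPS listens on port 636; 30 days is the renewal threshold.

# Print the notAfter line of the certificate a TLS listener presents.
# $1 = host, $2 = port
served_not_after() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# Classify an "openssl x509 -enddate" line.
# $1 = line like "notAfter=Mar 24 12:00:00 2027 GMT"
# $2 = minimum days of validity wanted, $3 = optional "now" as epoch seconds
cert_status() (
    # An empty date string would be read by GNU date as "today", so reject it.
    case $1 in notAfter=?*) ;; *) echo "UNPARSEABLE"; exit 0 ;; esac
    end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || { echo "UNPARSEABLE"; exit 0; }
    now=${3:-$(date -u +%s)}
    secs=$(( end - now ))
    # Compare in seconds: integer division would round -1 hour up to "0 days".
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$secs" -lt $(( $2 * 86400 )) ]; then
        echo "RENEW ($(( secs / 86400 )) days left)"
    else
        echo "OK ($(( secs / 86400 )) days left)"
    fi
)

# Check one server; exit status 0 only when the served certificate is OK.
# $1 = host, $2 = port (default 636), $3 = minimum days (default 30)
check_ldaps_cert() (
    line=$(served_not_after "$1" "${2:-636}") || { echo "$1: no certificate retrieved"; exit 2; }
    status=$(cert_status "$line" "${3:-30}")
    echo "$1: $status"
    case $status in OK*) exit 0 ;; *) exit 1 ;; esac
)

# Run only when a host is given, e.g.: sh check_cert.sh ldap.example.com
if [ "$#" -ge 1 ]; then
    check_ldaps_cert "$@"
fi
```

A result of EXPIRED or RENEW after the repair usually means the LDAP server has not been restarted yet and is still serving the old certificate.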


Server certificates are invalid and/or expired and need to be re-created.

Additional Information

If there are problems accessing iManager on the eDirectory servers, please consider the steps provided in TID 7013239 - How to configure Workstation iManager on a Windows desktop for certificate administration.

If there is a problem renewing the default server certificates, there may be a problem with the Certificate Authority (CA).
Please see the preliminary steps to validate the CA in TID 7013047 - How to renew an expired Certificate Authority (CA).

If recreating certificates on an Open Enterprise Server (OES), please consider the Cool Solution "Certificate Re-creation Script for OES1, OES2 and OES 11".


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7013080
  • Creation Date: 20-AUG-13
  • Modified Date: 24-MAR-17
    • NetIQ eDirectory